Let's talk a bit about CA-based SSH and TOFU, because this is really why I hate the guts out of how SSH works by default (TOFU) and why I'm amazed that so few people even know about certificate-based SSH.

So for a while now I've been ogling CA-based SSH to solve the issues with key distribution and replacement. Because SSH does 2-way verification, this is relevant to both the host key (which changes on e.g. reinstallation) and user keys (ever replaced one? Yeah that's the problem).

So in my own network I've signed all my devices' host keys a few days ago (user keys will come later). And it works great! Except... Because I wanted to "do it right straight away" I signed only the ED25519 keys on each host, because IMO that's what all the keys should be using. My user keys use it, and among others the host keys use it too. But not by default, which brings me back to this error message.

If you look closely you'd find that the host key did not actually change. That host hasn't been replaced. What has been replaced however is the key this client got initially (i.e. TOFU at work) and the key it's being presented now. The key it's comparing against is ECDSA, which is one of the host key types you'd find in /etc/ssh. But RSA is the default for user keys so God knows why that one is being served... Anyway, the SSH servers apparently prefer signed keys, so what is being served now is an ED25519 key. And TOFU breaks and generates this atrocity of a warning.

This is peak TOFU at its worst really, and with the CA now replacing it I can't help but think that this is TOFU's last scream into the void, a climax of how terrible it is. Use CA's everyone, it's so much better than this default dumpster fire doing its thing.

PS: yes I know how to solve it. Remove .ssh/known_hosts and put the CA as a known host there instead. This is just to illustrate a point.

Also if you're interested in learning about CA-based SSH, check out https://ibug.io/blog/2019/... and https://dmuth.org/ssh-at-scale-cas-... - these really helped me out when I started deploying the CA-based authentication model.

Google: we want to crack down on adblockers in Chrome and remove APIs. If we threw out Chrome store extensions that use the old ad blocking APIs, Chromium forks would be hit as well, haha!

Vivaldi: we've integrated DuckDuckGo based ad and tracker blocking right into our Chromium based browser. Also for Android now, haha!

Online tutorial pet peeves
————————————

My top 10 points of unsolicited ranting/advice to those making video tutorials:

1. Avoid lots of pauses, saying “umm” too much, or other unnecessary redundancy in speech (listen to yourself in a recording)

2. If I can’t understand you at 1.5 - 2x playback speed and you don’t already speak relatively quickly and clearly, I’m probably not going to watch for long (mumbling, inconsistent microphone volume, and background noise/music are frequent culprits)

3. It’s ok to make mistakes in a tutorial, so long as you also fix them in the tutorial (e.g., the code that is missing a semicolon that all of a sudden has one after it compiles correctly — but no mention of fixing it or the compiler error that would have been received the first time). With that said, it’s fine to fix mistakes pertinent to the topic being taught, but don’t make me watch you troubleshoot your non-relevant computer issues or problems created by your specific preferences (e.g., IDE functionality not working as expected when no specific IDE was prescribed for the tutorial)

4. Don’t make me wait on your slow computer to do something in silence—either teach me something while it’s working or edit the video to remove the lull

5. You knew you were recording your screen. Close your email, chat, and other applications that create notifications before recording. Or at least please don’t check them and respond while recording and not edit it out of the video

6. Stay on topic. I’m watching your video to learn about something specific. A little personality is good, but excessive tangents are often a waste of my time

7. [Specific to YouTube] Don’t block my view of important content with annotations (and ads, if within your control)

8. If you aren’t uploading quality HD recordings, enlarge your font! Don’t make me have to guess what character you typed

9. Have a game plan (i.e., objectives) before hitting the record button

10. Remember that it’s easier to rant and complain than to do something constructive. Thank you for spending your time making tutorial videos. It’s better for you to make videos and commit all my pet peeves listed above than to not make videos at all—don’t let one guy’s rant stop you from sharing your knowledge and experience (but if it helps you, you’re welcome—and you just might gain a new viewer!)

In case you thought Google didn't know what you spend your money on.

https://myaccount.google.com/purcha...

Short horror story: a coworker of mine renamed a directory in the git repo from ABC to abc. All MacOS users found their repos completely broken after pulling the changes. They didn't know that Apple's crappy HFS+ filesystem was case-insensitive.

I have ~10 coworkers, and each of them wasted at least 1 hour manually fixing this problem. This is like not working for more than a day.

(I'm forced to use a Mac too, but I use an ext3 volume for repositories.)

People complaining "oh I always have trouble figuring out if the clock goes forwards or backwards in October"

Bitch please, I'm dealing with 12 databases, with SQL dates as local timezone timestamps, and an influxDB in UTC. I'm dealing with a backend server configured in CEST and a middleware layer configured in Pacific time, and a hundred functions which try to keep everything straight because no one dares to migrate it all to UTC at this point.

In the whole argument about DST you hear about sleep psychology, electricity bills and farmers.

But what about me, the poor database administrator? What about all these ugly legacy systems, what about all the UX designers trying to fix time input pickers?

I spend 2 months a year in agony having nightmares of rips and folds in the flow of time. DAYLIGHT SAVING DOESN'T FUCKING MAKE SENSE HOW CAN TIME EXIST TWICE?

Friend of mine killed his MacBook with some Softdrink.

Just poured it all over his poor a1502.

He let it dry for a few days, it starts to work again.
Except the battery.

Goes on Amazon and buys a new battery.

New battery doesn't work either and so he tells me about it and I as stupid as I am couldn't resist the temptation to finally work on a MacBook like my "hero" Lois Rossmann does.

So turns out the board is good.
Cleaned it up and basically nothing happened to it.

So what's the deal with "los batlerias"?

The first got hit by liquid, the second had a broken connection to a cell.
That could have happened through my friend, installing it without testing it first, or at the seller, so it being a DOA battery.

Now away from the stupidity of my friend and the situation to the actual source for this rant.

Once something happens to a modern Managed battery, the Battery Management System (BMS) disconnects the voltage from the system and goes into an error state, staying there and not powering anything ever again.
For noobs, it's dead. Buy a new one.

But It can be reset, depending you know how to, and which passwords were set at the factory.
Yes, the common Texas instruments BQ20Zxx chips have default passwords, and apple seems to leav them at default.

The Usb to SMBus adaptors arrived a few days ago and I went to prod the BMS.

There is a very nice available for Windows called BE2works, that I used the demo of to go in and figure out stuff. The full version supports password cracking, the demo not.

After some time figuring out how Smart Battery Systems (SBS) "API" works, I got to actually enter the passwords into the battery to try get into manufacturer and full access mode.

Just to realise, they don't unlock the BMS.

So, to conclude, my friend bought a "new" battery that was most likely cut out of a used / dead macbook, which reports 3000mah as fully charged instead of the 6xxx mah that it should have, with 0 cycles and 0hours used.
And non default access.

This screams after those motherfuckers scaming the shit out of people on Amazon, with refurb, reset, and locked fucken batteries.

I could kill those people right now.

Last but not least,
My friend theoretically can't send it back because I opened the battery to fix the broken connection.
Though maybe, it'll get send back anyway, with some suprise in the package.

Any rubik’s cube fan?
I ordered a rubik’s cube to help me when I faced a bug since I don’t know how to use the rubber duck